-1

I have created a simple upload.php file. But I want to create a file hosting site on which users can upload files without login/register and get download links so that others may download their file using that link. Like on datafilehost.com.

My html file is :-

    <form enctype="multipart/form-data" action="upload.php" method="POST">
    Please choose a file: <input name="uploaded" type="file" /><br />
    <input type="submit" value="Upload" />
    </form>

My simple PHP file is :-

    <?php
    $target = "upload/";
    $target = $target . basename($_FILES['uploaded']['name']);
    // Size and type as reported in $_FILES (the type is whatever the browser sent)
    $uploaded_size = $_FILES['uploaded']['size'];
    $uploaded_type = $_FILES['uploaded']['type'];
    $ok = 1;

    // This is our size condition
    if ($uploaded_size > 350000)
    {
        echo "Your file is too large.<br>";
        $ok = 0;
    }

    // This is our limit file type condition
    if ($uploaded_type =="text/php")
    {
        echo "No PHP files<br>";
        $ok = 0;
    }

    // Here we check that $ok was not set to 0 by an error
    if ($ok == 0)
    {
        echo "Sorry your file was not uploaded";
    }

    // If everything is ok we try to upload it
    else
    {
        if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
        {
            echo "The file " . basename($_FILES['uploaded']['name']) . " has been uploaded";
        }
        else
        {
            echo "Sorry, there was a problem uploading your file.";
        }
    }
    ?>

Please help me........ Thank You.

  • 2
    What problem are you facing, and where? – Suresh Kamrushi Jan 20 '14 at 12:38
  • Surely if they uploaded an image this would just show the image rather than offer it to download? In this case the issue could be resolved using htaccess – Liam Sorsby Jan 20 '14 at 12:39
  • 3
    `if ($uploaded_type =="text/php")` – that is nowhere near to an adequate and sufficient check, it’ll blow up in your face sooner or later. I’d suggest you refrain from _“creating a file hosting site”_ as long as your knowledge is so minimal. – CBroe Jan 20 '14 at 12:40
  • 1
    Another point, using this script, if I uploaded an executable file I could do anything on your server. – Liam Sorsby Jan 20 '14 at 12:40

2 Answers

0

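    // $uploadpath is the stored file's path relative to this script (not defined in this snippet)
    echo 'http://' . $_SERVER['HTTP_HOST'] . rtrim(dirname($_SERVER['REQUEST_URI']), '\/') . '/' . $uploadpath;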

I wouldn't use your code, as it's from an about.com article meant to help teach the concept of file uploads with PHP; it doesn't have anywhere near the kind of security you'd need.

d.abyss
  • Please escape your $_SERVER['REQUEST_URI'] using html_entities() as this could cause security issues such as XSS – Liam Sorsby Jan 20 '14 at 12:46
0

The global $_FILES exists as of PHP 4.1.0 (use $HTTP_POST_FILES instead if using an earlier version). These arrays will contain all the uploaded file information.

$_FILES['userfile']['name'] 

The original name of the file on the client machine.

$_FILES['userfile']['type']

The mime type of the file, if the browser provided this information. An example would be "image/gif". This mime type is however not checked on the PHP side and therefore don't take its value for granted.

$_FILES['userfile']['size']

The size, in bytes, of the uploaded file.

$_FILES['userfile']['tmp_name']

The temporary filename of the file in which the uploaded file was stored on the server.

$_FILES['userfile']['error']

The error code associated with this file upload. This element was added in PHP 4.2.0

In your case you have already defined the file name and the path where the file is stored.

    $file = basename($_FILES['userfile']['name']);
    // Path where move_uploaded_file() stored the file ("upload/" in the question's script)
    $path = "upload/" . $file;

    if (file_exists($path)) {
        // show user download link
    }
Ivan
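
A hardened take on the upload-and-link flow discussed on this page, as an added example (not code from the question or from either answer). It addresses the points raised in the comments: the browser-supplied name and MIME type are never trusted, files are not stored where the web server would execute them, and downloads are always sent as attachments. `STORE_DIR`, `BASE_URL` and the single-script name `file.php` are assumptions; the form would post to this script.

```php
<?php
// Added example, not the original poster's code. STORE_DIR, BASE_URL and the
// single-script layout (file.php) are assumptions.
const STORE_DIR = '/var/www/private_uploads';           // assumed: outside the web root
const BASE_URL  = 'https://files.example.com/file.php'; // assumed: fixed, not built from the Host header
const MAX_BYTES = 350000;                               // size limit from the question

function fail(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    exit($msg);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $f = $_FILES['uploaded'] ?? null;
    // Trust only the fields PHP fills in itself: error, size, tmp_name.
    if (!is_array($f) || $f['error'] !== UPLOAD_ERR_OK) {
        fail(400, 'Sorry, your file was not uploaded.');
    }
    if ($f['size'] > MAX_BYTES) {
        fail(413, 'Your file is too large.');
    }
    // Server-chosen random name with no extension: the client's name and
    // MIME type never decide where or how the file is stored.
    $id = bin2hex(random_bytes(16));
    if (!move_uploaded_file($f['tmp_name'], STORE_DIR . "/$id")) {
        fail(500, 'Sorry, there was a problem uploading your file.');
    }
    // Keep the original name only as data for the download header.
    file_put_contents(STORE_DIR . "/$id.name", basename($f['name']));
    header('Content-Type: text/plain; charset=utf-8');
    exit('Download link: ' . BASE_URL . '?id=' . $id);
}

// Download: the id must match exactly what we generate, so it cannot carry a path.
$id = $_GET['id'] ?? '';
if (!is_string($id) || !preg_match('/\A[0-9a-f]{32}\z/', $id)
    || !is_file(STORE_DIR . "/$id")) {
    fail(404, 'No such file.');
}
$name = (string) @file_get_contents(STORE_DIR . "/$id.name");
// Always served as an opaque attachment; never rendered or executed.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode($name));
header('Content-Length: ' . filesize(STORE_DIR . "/$id"));
readfile(STORE_DIR . "/$id");
```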